Oracle: data breach with billions of entries reveals huge tracking network


Largely unnoticed by the public, the database company Oracle has followed the traces of online users and set up an extensive tracking network. A massive data glitch has now given insights into the corresponding activities of the Silicon Valley group. The security researcher Anurag Sen discovered the breakdown. On an unsecured, password-free server, the expert came across a directory with billions of personal data records that were open to everyone.

Don’t miss any news! With our daily newsletter you will receive all heise online news from the past 24 hours every morning.

  • Subscribe to the newsletter now

Sen has now informed Oracle about his explosive find, the gaping security gap is closed again, according to the company. The US magazine TechCrunch had previously had the opportunityto check the database about the informants turned on. This contained names, addresses, email addresses and other personal data of users from all over the world. These included sensitive browsing histories, which ranged from shopping tours on the web to unsubscribing from newsletter subscriptions.

“It can hardly be described how revealing some of this data can be,” Bennett Cyphers of the US civil rights organization Electronic Frontier Foundation (EFF) told the online service. Fine-grained records of people’s browsing habits could reveal hobbies, political preferences, income brackets, health status, sexual preferences, and other personal details. The meaningfulness increases constantly, “because we spend an increasing part of our life online”.

According to the report, the extensive user traces that were leaked to the outside world as non-pseudonymized raw data were gathered primarily by its subsidiary BlueKai. The company bought the start-up in 2014 for a good $ 400 million. Although it is hardly known outside of marketing circles, it has built up a large relevant advertising network using cookies and other tracking tools such as sniffing pixels on websites including porn portals and in HTML emails. In the associated market for profiling and personal advertising, Google with its DoubleClick, Facebook and Amazon networks are considered to be even larger data collection machines.

Given the sheer size of the exposed database, TechCrunch speaks of one of the “biggest security holes this year”. They even found records with details of some of the very private online purchases that went back to August 2019. A data record describes in detail how a German identified by name used a prepaid card on April 19 to place a 10 Euro bid on a website for e-sports betting. The records should also include the man’s address, phone number, and email.

As another example, the magazine mentions entries from one of the largest Turkish investment companies. It can be traced back, for example, that a user from Istanbul bought furniture from an online supplier for $ 899. Interested parties, among others for dash cams, were also easy to find personally.

According to California law and the General Data Protection Regulation (GDPR), Oracle would have been obliged to inform the responsible regulatory authorities about the leak within a short period of time. According to the report, the group has so far failed to do so. The GDPR provides for fines of up to 20 million euros or four percent of a company’s annual turnover.

According to industry experts BlueKai tracks around 1.2 percent of all web traffic and works with the operators of some of the largest websites and online services such as Amazon, ESPN, Forbes, Levi’s,, Rotten Tomatoes and the New York Times. Irony in the story: Even in the TechCrunch article there is a BlueKai tracker because the parent company Verizon Media is one of the company’s partners. Ultimately, almost every media site that is wholly or partly financed by advertising relies on relevant methods for user analysis.

In Germany, the data protection supervisory authorities emphasized for the first time two years ago that trackers such as Google Analytics and cookies, even in pseudonymized form, are only permitted with the express and informed consent of the users. Ulrich Kelber, the Federal Data Protection Commissioner, complained last year that the data tapped by user systems and the profiles formed from them were not only used for advertisements.


To home page